Client Certificates: It's easy, man!

21st Apr 2007

MyOpenID.com recently added support for logging in with client certificates. I've heard people talking about client certificates lots of times, but I always assumed that it'd never work due to it being complicated and difficult for users to understand. PKI is too complicated for users to understand, right? Why else would almost every site in existence still use passwords as the primary authentication mechanism?

With some scepticism I tried out the client certificate feature on MyOpenID.com. I logged in, went to my account settings, clicked on the “Add a Certificate” button and immediately my browser (Opera) took over and asked me to choose a password to protect my client certificates. I entered one. It then asked me to confirm that I wanted to install the cert. I clicked “Install”. Then it was done. Surely that can't be all there is to it?

So I logged out and went back to the login screen. I elected to log in using a client cert. Opera asked for that password I entered earlier, and then I was logged in. Magic!

Of course, MyOpenID.com still needs to keep around the username/password support because I may need to log in when I'm not on a computer with a client cert installed. On computers I control, however, I know that I should not enter my username/password at MyOpenID.com ever again.

This is one of the great things about OpenID: MyOpenID.com can innovate, and suddenly I benefit from what they develop across every OpenID-enabled site. The hard work can be done in one place and have benefits across the web. I expect that this is just the beginning of the innovation we'll see in the future as OpenID becomes more widespread and OpenID Providers begin to compete with one another on features such as this.